Realm Setup (Specific to mod_auth_pubtkt)

This article describes the specific steps in configuring a realm for mod_auth_pubtkt.

Realm Configuration

General Tab

Realm Name: {Realm name identifier}

Corners: Number of corners used in each Grid cell. 8 is recommended in most situations.

Grid Mode: Grid Advanced

Process Type: Custom (or Mod_Auth_PubTkt if it is available)

Process Type Specific Parameters:

className: com.syferlock.gridguard.proctype.ModAuthPubTkt (REQUIRED)

signingKey: The UUID of the GridGuard encryption key used for signing a ticket. The list of valid UUIDs is in the Encryption Keys section of the ACC. (REQUIRED)

cookieDomain: The name and scope of Mod_Auth_PubTkt's authentication cookie. It uses cookie-style syntax (i.e. .example.com covers the top-level domain example.com and its subdomains). (REQUIRED)

sessionTimeout: Defaults to 20. Number of minutes before ticket invalidation.

gracePeriod: Defaults to 1. Number of minutes before sessionTimeout during which the ticket will be refreshed without needing re-authentication.

returnURLParam: Defaults to back. The URL the user is forwarded to after authentication. 'back' is the referrer URL where the user came from.

secureCookie: Defaults to true. Sets the 'secure' cookie flag on the ticket's cookie, making it accessible only over the HTTPS protocol.

httpOnly: Defaults to true. Sets the 'httpOnly' cookie flag on the ticket's cookie, making it inaccessible to the browser's scripting languages. This may need to be disabled for Java Web Start (JWS) applications.
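
How sessionTimeout, gracePeriod, cookieDomain, secureCookie and httpOnly show up in the issued ticket and its cookie, as an added Python example that is not GridGuard or mod_auth_pubtkt code. It assumes the mod_auth_pubtkt ticket layout (semicolon-separated key=value fields, with validuntil and graceperiod as UNIX timestamps) and the default cookie name auth_pubtkt; the helper names, the user jdoe and all sample values are constructed.

```python
# Added illustration; not GridGuard or mod_auth_pubtkt source code.

def ticket_times(issued_at, session_timeout_min=20, grace_period_min=1):
    """Map sessionTimeout/gracePeriod (minutes) to the ticket's UNIX timestamps."""
    if not 0 <= grace_period_min < session_timeout_min:
        raise ValueError("gracePeriod must be shorter than sessionTimeout")
    validuntil = issued_at + session_timeout_min * 60
    return validuntil, validuntil - grace_period_min * 60

def ticket_state(ticket, now):
    """Return 'valid', 'refresh' (inside the grace window) or 'expired'."""
    fields = dict(part.split("=", 1) for part in ticket.split(";") if "=" in part)
    validuntil = int(fields["validuntil"])
    graceperiod = int(fields.get("graceperiod", validuntil))
    if now >= validuntil:
        return "expired"
    return "refresh" if now >= graceperiod else "valid"

def host_in_scope(host, cookie_domain):
    """True if a cookie scoped to cookie_domain would be sent to host."""
    base = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == base or host.endswith("." + base)

def audit_cookie(set_cookie_value, cookie_domain):
    """List deviations from the realm's cookieDomain/secureCookie/httpOnly settings."""
    attrs = [a.strip() for a in set_cookie_value.split(";")[1:]]
    flags = {a.lower() for a in attrs if "=" not in a}
    pairs = dict(a.lower().split("=", 1) for a in attrs if "=" in a)
    findings = []
    if pairs.get("domain") != cookie_domain.lower():
        findings.append("domain mismatch")
    if "secure" not in flags:
        findings.append("missing Secure")
    if "httponly" not in flags:
        findings.append("missing HttpOnly")
    return findings

# Constructed sample data (sig is a placeholder, not a real signature).
ISSUED = 1_700_000_000
VALIDUNTIL, GRACE = ticket_times(ISSUED)
TICKET = f"uid=jdoe;validuntil={VALIDUNTIL};graceperiod={GRACE};sig=PLACEHOLDER"
GOOD = "auth_pubtkt=PLACEHOLDER; Domain=.example.com; Path=/; Secure; HttpOnly"
WEAK = "auth_pubtkt=PLACEHOLDER; Domain=.example.com; Path=/"

if __name__ == "__main__":
    for offset in (600, 1150, 1200):
        print(offset, ticket_state(TICKET, ISSUED + offset))
    print(audit_cookie(GOOD, ".example.com"), audit_cookie(WEAK, ".example.com"))
    print(host_in_scope("app.example.com", ".example.com"))
```

With the defaults, a ticket issued at time t is valid for 20 minutes and enters the refresh window for the final minute; a cookie that lacks either flag is reported by audit_cookie.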

Grid Options

Enable 2 Form: Checked

Enable GridPin: Checked

Device Configuration: N/A

Enable MyGrid: Allows the user to pick a grid layout from a list of allowed layouts. Uncheck to enforce one layout.

MyGrid Options: List of allowed grid layouts.

Default Layout: Sets the default layout for when a user hasn't explicitly changed the layout.

Session Timeout: Session time in seconds. This is mainly used for the Security Center.

Cryptographic Options

2 Factor Options

All of the 2-Factor configurations are supported by mod_auth_pubtkt. Set as needed.

Fields

The fields are very web page template specific. If you are using the default template, the username field is 'username'.

User Groups

Here the admin needs to define the groups that are allowed to use certain aspects of GridGuard. Enter the name of each group that will be allowed to use a given role. When using external LDAP directories, such as Active Directory, the group is REQUIRED to be in DN format. You can specify multiple groups, one group per line.

Admin Groups: Users that are allowed to reset other users' GridGuard account information. If blank, no user can manage users with this realm.

Helpdesk Groups: <Not currently used>

Authorized Groups: Users that are allowed to register and use GridGuard. If blank, any user within the company's user store can register and use GridGuard.

URLs

Base URL: <Not Used>

Authentication URL: <Not Used>

Landing URL: <Not Used>

Logout URL: URL where the user is forwarded when the user performs a logout.

Login Failed URL: URL where the user is forwarded when the user gives incorrect credentials.